Life sciences businesses operate in a distinctive landscape: small IT teams, vast data storage needs, intricate compliance mandates, and a wide range of users. The appeal of Software as a Service (SaaS) platforms, Managed Service Providers (MSPs), and third-party vendors is evident: they offer a cost-effective, user-friendly answer to these challenges. Convenience comes at a cost, however, and it prompts the question, "Is this secure?" Compliance with regulations like 21 CFR Part 11 provides a regulatory cushion, but it is crucial to dispel the myth that compliance equates to security. The recent MGM and Caesars cyber incidents are a wake-up call on the need to secure your digital assets, especially when relying on third-party services.
The cyberattacks on MGM Resorts and Caesars Entertainment have ignited public and regulatory scrutiny. At MGM, system outages created chaos, affecting everything from keycards to ATMs and slot machines. Caesars suffered a damaging data breach in which sensitive customer data, including Social Security numbers, was stolen. To limit the fallout, the Wall Street Journal reported, Caesars paid roughly $15 million, about half the amount the attackers demanded to keep the data confidential. According to Lesley Carhart, Director of Incident Response at Dragos, while casino heists are sensational, life-impacting attacks on sectors like healthcare and critical infrastructure often go unreported.
A Russia-based gang known as Alphv, or BlackCat, claimed responsibility for MGM's woes. This group has previously targeted critical institutions like healthcare organizations, underscoring the point that your industry is not immune. It’s essential to note that MGM had also suffered a breach in 2019, affecting more than 10.6 million customers—highlighting that even giants in the industry can falter when it comes to security measures.
Internally, awareness training, role-based access, strong passwords, and Multi-factor Authentication (MFA) are staple measures. But third-party vendors introduce another layer of risk. Here’s how to fortify your defense:
While SaaS platforms may reduce the risks associated with vendor staff, they still come with their own set of security concerns:
Choosing vendors that follow Open Web Application Security Project (OWASP) guidance, such as the Application Security Verification Standard (ASVS), and that consistently conduct penetration testing is crucial for ensuring a secure SaaS environment.
The MGM and Caesars incidents should serve as an eye-opener. While ransomware attacks may recede from the headlines, they continue to cause widespread disruption, hitting sectors you might think are impervious to such threats. In this digital age, full-scope penetration testing is not an option—it's a requirement. At NetWorks Group, we're often asked if vulnerabilities in third-party services such as SaaS and MSPs are testable. The answer is unequivocally yes.
We excel in delivering comprehensive penetration tests that cover a complete range of threat avenues—external, internal, wireless, and even social engineering and physical risks. Our approach is continually updated to integrate attack strategies akin to those that led to the security breaches at MGM and Caesars. To learn how NetWorks Group can help secure your life sciences organization, get started here.
#biotech #biotechsecurity #SaaSSecurity #lifesciencessecurity #biotechSaaS
Published By: Chris Neuwirth, Senior Penetration Tester and Scot Armstrong, Account Manager
Publish Date: October 11, 2023